Symantec: New Virus Deletes All Files

The virus that "deletes your whole hard drive" has been a staple in dozens of e-mail hoaxes that have circulated the Net in recent years. In the real world, such viruses are few and far between. According to Symantec, the new VBS.Pub is just such a beast.

The malware targets Windows computers, and arrives in an email bearing the subject "Re" and an attachment that will have an .asp, .hta, .htm, .htt, .html, .vbe or .vbs extension.
Upon infection, the virus uses Microsoft Outlook to send itself to everyone in the Microsoft Outlook Address Book. "If the day is the 6th, 13th, 21st, or 28th, the worm will delete all the files from the computer," Symantec reports. Despite its nasty payload, SANS notes that VBS.Pub "doesn't possess any earth-shattering characteristics to make it a significant propagation threat."
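The delivery traits described above (the subject "Re" plus a script-capable attachment extension) can be checked at a mail gateway. The following is an added example, not code from Symantec, SANS or the original article; the function names, the verdict labels and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions and subject taken from the article's description of VBS.Pub.
SCRIPT_EXTS = {".asp", ".hta", ".htm", ".htt", ".html", ".vbe", ".vbs"}
SUSPECT_SUBJECT = "re"


def risky_attachments(msg):
    """Return filenames of attachments whose final extension is in SCRIPT_EXTS."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, and the last suffix
        # decides the handler ("invoice.txt.vbs" is opened as VBScript).
        cleaned = name.strip().rstrip(". ").lower()
        if PurePosixPath(cleaned).suffix in SCRIPT_EXTS:
            hits.append(name)
    return hits


def assess(raw):
    """Classify a raw RFC 5322 message as 'quarantine', 'review' or 'pass'."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = risky_attachments(msg)
    # Assumption: a bare "Re:" is treated the same as the reported "Re".
    subject = (msg["Subject"] or "").strip().rstrip(":").lower()
    if hits and subject == SUSPECT_SUBJECT:
        return "quarantine", hits
    return ("review" if hits else "pass"), hits


def build_sample(subject, filename):
    """Constructed sample message carrying a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Script attachments under any other subject are only marked for review, since .htm and .html files are common in legitimate mail.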

In recent years, malware writers have found it more useful to control machines than destroy them, using a compromised computer's Internet connection to deliver spam or mount denial of service attacks. Disabling the host machine also impedes the spread of the virus.

VBS.Pub solves that problem with a time-release payload that mimics the CIH/Chernobyl virus, one of the Net's most destructive viruses. Chernobyl began circulating in 1998, and featured a payload that was triggered on April 26, 1999, the anniversary of the Chernobyl nuclear accident, and in some versions was reactivated on the 26th of every month. CIH overwrote data on the hard drives of infected machines, leaving most unusable.